# Tests for SamDb password change audit logging. # Copyright (C) Andrew Bartlett 2018 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """Tests for the SamDb logging of password changes. """ import samba.tests from samba.dcerpc.messaging import MSG_DSDB_PWD_LOG, DSDB_PWD_EVENT_NAME from samba.samdb import SamDB from samba.auth import system_session import os from samba.tests.audit_log_base import AuditLogTestBase from samba.tests import delete_force from samba.net import Net from ldb import (LdbError, ERR_INSUFFICIENT_ACCESS_RIGHTS, ERR_INVALID_DN_SYNTAX, ERR_NO_SUCH_ATTRIBUTE) from samba.dcerpc.windows_event_ids import ( EVT_ID_PASSWORD_CHANGE, EVT_ID_PASSWORD_RESET, EVT_ID_DIRECTORY_OBJECT_CHANGE ) USER_NAME = "auditlogtestuser" USER_PASS = samba.generate_random_password(32, 32) SECOND_USER_NAME = "auditlogtestuser02" SECOND_USER_PASS = samba.generate_random_password(32, 32) class AuditLogPassChangeTests(AuditLogTestBase): def setUp(self): self.message_type = MSG_DSDB_PWD_LOG self.event_type = DSDB_PWD_EVENT_NAME super().setUp() self.server_ip = os.environ["SERVER_IP"] host = "ldap://%s" % os.environ["SERVER"] self.ldb = SamDB(url=host, session_info=system_session(), credentials=self.get_credentials(), lp=self.get_loadparm()) self.server = os.environ["SERVER"] # Gets back the basedn self.base_dn = self.ldb.domain_dn() # Get the old "dSHeuristics" if it was set dsheuristics = self.ldb.get_dsheuristics() # Set the "dSHeuristics" to activate the correct "userPassword" # behaviour self.ldb.set_dsheuristics("000000001") # Reset the "dSHeuristics" as they were before self.addCleanup(self.ldb.set_dsheuristics, dsheuristics) # Get the old "minPwdAge" minPwdAge = self.ldb.get_minPwdAge() # Set it temporarily to "0" self.ldb.set_minPwdAge("0") self.base_dn = self.ldb.domain_dn() # Reset the "minPwdAge" as it was before self.addCleanup(self.ldb.set_minPwdAge, minPwdAge) # (Re)adds the test user USER_NAME with password USER_PASS delete_force(self.ldb, "cn=" + USER_NAME + ",cn=users," + self.base_dn) delete_force( self.ldb, "cn=" + SECOND_USER_NAME + ",cn=users," + self.base_dn) self.ldb.add({ "dn": "cn=" + USER_NAME + ",cn=users," + self.base_dn, "objectclass": "user", "sAMAccountName": USER_NAME, "userPassword": USER_PASS }) # # Discard the messages from the setup code # def discardSetupMessages(self, dn): self.waitForMessages(1, dn=dn) self.discardMessages() def test_net_change_password(self): dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn self.discardSetupMessages(dn) creds = self.insta_creds(template=self.get_credentials()) lp = self.get_loadparm() net = Net(creds, lp, server=self.server) password = "newPassword!!42" net.change_password(newpassword=password, username=USER_NAME, oldpassword=USER_PASS) messages = self.waitForMessages(1, net, dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_CHANGE, audit["eventId"]) self.assertEqual("Change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "DCE/RPC") self.assertTrue(self.is_guid(audit["transactionId"])) def test_net_set_password_user_without_permission(self): dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn self.discardSetupMessages(dn) self.ldb.newuser(SECOND_USER_NAME, SECOND_USER_PASS) # # Get the password reset from the user add # dn = "CN=" + SECOND_USER_NAME + ",CN=Users," + self.base_dn messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"]) self.assertEqual("Reset", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") self.assertTrue(self.is_guid(audit["transactionId"])) self.assertEqual(0, audit["statusCode"]) self.assertEqual("Success", audit["status"]) self.discardMessages() creds = self.insta_creds( template=self.get_credentials(), username=SECOND_USER_NAME, userpass=SECOND_USER_PASS, kerberos_state=None) lp = self.get_loadparm() net = Net(creds, lp, server=self.server) password = "newPassword!!42" domain = lp.get("workgroup") try: net.set_password(newpassword=password, account_name=USER_NAME, domain_name=domain) self.fail("Expected exception not thrown") except Exception: pass dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn messages = self.waitForMessages(1, net, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"]) self.assertEqual("Reset", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "DCE/RPC") self.assertTrue(self.is_guid(audit["transactionId"])) self.assertEqual(ERR_INSUFFICIENT_ACCESS_RIGHTS, audit["statusCode"]) self.assertEqual("insufficient access rights", audit["status"]) def test_net_set_password(self): dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn self.discardSetupMessages(dn) creds = self.insta_creds(template=self.get_credentials()) lp = self.get_loadparm() net = Net(creds, lp, server=self.server) password = "newPassword!!42" domain = lp.get("workgroup") net.set_password(newpassword=password, account_name=USER_NAME, domain_name=domain) dn = "CN=" + USER_NAME + ",CN=Users," + self.base_dn messages = self.waitForMessages(1, net, dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"]) self.assertEqual("Reset", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "DCE/RPC") session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) self.assertTrue(self.is_guid(audit["transactionId"])) def test_ldap_change_password(self): dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn self.discardSetupMessages(dn) new_password = samba.generate_random_password(32, 32) self.ldb.modify_ldif( "dn: " + dn + "\n" + "changetype: modify\n" + "delete: userPassword\n" + "userPassword: " + USER_PASS + "\n" + "add: userPassword\n" + "userPassword: " + new_password + "\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_CHANGE, audit["eventId"]) self.assertEqual("Change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) self.assertTrue(self.is_guid(audit["sessionId"])) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") self.assertTrue(self.is_guid(audit["transactionId"])) def test_ldap_replace_password(self): dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn self.discardSetupMessages(dn) new_password = samba.generate_random_password(32, 32) self.ldb.modify_ldif( "dn: " + dn + "\n" + "changetype: modify\n" + "replace: userPassword\n" + "userPassword: " + new_password + "\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"]) self.assertEqual("Reset", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) self.assertTrue(self.is_guid(audit["sessionId"])) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") self.assertTrue(self.is_guid(audit["transactionId"])) def test_ldap_add_user(self): # The setup code adds a user, so we check for the password event # generated by it. dn = "cn=" + USER_NAME + ",cn=users," + self.base_dn messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages), "Did not receive the expected number of messages") # # The first message should be the reset from the Setup code. # audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_PASSWORD_RESET, audit["eventId"]) self.assertEqual("Reset", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertRegex(audit["remoteAddress"], self.remoteAddress) session_id = self.get_session() self.assertEqual(session_id, audit["sessionId"]) service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") self.assertTrue(self.is_guid(audit["sessionId"])) self.assertTrue(self.is_guid(audit["transactionId"])) # These are some valid BinaryDN prefixes for # msDS-KeyCredentialLink values. kcl_prefixes = [ ("B:772:000200002000012849ABF23C432F5428756A641827A6CD2E4A4F40" "9F4DE57BA152B7C2F31E46EC200002A5499B70EC0FBEF4BCB78AF3878D08" "2B2D43527BBAA230462707947C128BAF4226010330820122300D06092A86" "4886F70D01010105000382010F003082010A02820101009A16283EA51D94" "11FD54C73615D90E4B3B8DAF152D699A79C3B217DDBA7787DE419E3E31E6" "012088FD9B4EC0EA9199E91EBE2F99F48A4E7084D819CF76C67C58F5050E" "E5428B09676CA475EADFAD91FBEF2835820BE4CDE3F3A3B33DB6A0C75956" "47CA8489566EBCF6B748DC637EC2D34D255E008DAF93F3DC77478B7526DE" "5A6B4638FC50A622233C2BBA935A0E2BBA6DDCE32D539E57AD12FAA7BA33" "1C92D32E54E05290132E66D25476458FDDFBF4940DA97F19B63C30EFE0EF" "1F77A2751CD8EAA7EF6DFA54FF0B3500D9E66A1ECC9D435FF0206EA27047" "8A37CD9F949EB6CA82925A138C5852C5C763AD6EA60003FCE5C7D486382B" "8E347B8CF6645F449902030100010100040108000900CB9A52E817DC01:"), ("B:772:00020000200001E251886DDA8335FA6A9B311F1FE4ABCDA7C04F05" "33668BA7B143760C675703BB200002E324A0CCE2393C603686A0C7828B53" "77A9B5E8C639131F657C3CEB39EDED7D4F26010330820122300D06092A86" "4886F70D01010105000382010F003082010A0282010100A5DF595B4E0F36" "9A4EF8CD5A2F6AF9322460C14175DDB7DE5F3A494A7591EC1096A5150800" "F80401F7D8739C8900165035E231E85AA0E39A9C75BE760764BCDC82A4CB" "955D84AFA47A8CACC35BAB6775478BF214A81726263D79CAA1623EA60DAB" "2C61CAE29905FE4A89467736F47ADCA27170DBC77F5A82E28075E4D44FB9" "76FFF5400B1AFC21B57C52718864253D57E780DEF8F40C990D30FB253831" "BC95B01EEFFB312E52F7B773CFB1FF9E48A40B9C82E6B176464087C862F5" "EA1D38809CF6454A8F169B993FFA857D1D928E4488EB13C947EE847D30F1" "7CF1FAA85DE6AFD07ED82504C024E0CEA5B47E02515E57C3258963E80137" "15EB0D3B126067A79F02030100010100040108000900CB9A52E817DC01:"), ("B:772:0002000020000118ADEEC2CBCC63FCA44F332CAE39275E12CB881F" "68B582ED2F3982718832126120000269F60B033A8697DB69835A356C9263" "1CF87FDE6E448F3426285B3978E85C385C26010330820122300D06092A86" "4886F70D01010105000382010F003082010A0282010100CADFE83AC8FCE1" "B7A999AE162DC6BD6CC53D686E6F0CB866AFADCF64F736249E2CB4F438E2" "78B636C4151C540BC4677821E66E6D88E6875A6B9B4F473D41C1C05376A4" "F929076E515698F076F1F1BBEB25AAE062C9973D6436E3E4B48F74B5C0A5" "B1FAD5026B8AB9E021849FFF8D18E54643C5F5FB57590BDC1CBC747C53CE" "A696D5379EE3678E8AE015E2AE4AEA5B79F03E953D415986197F00D876E1" "D23A28CC944901FCE5A902C9671CC46D7AA7F349F4F80CEF74FF035AEAEE" "30D6FD8F907B08C9A23031B9E44AC84A4010BFA06A468D94B034DDF202A7" "1B20663864703AC8205CE7C60B5FC18253C94CB8389381E05DB70B08BCCC" "EE58A5E81BA2FE18AD02030100010100040108000980613353E817DC01:"), ] def test_ldap_key_credential_link(self): """Test logging of msDS-KeyCredentialLink public key changes. """ # The restrictions on msDS-KeyCredentialLink changes work # different from those on the password attributes. We don't # care about dsHeuristics, minPwdAge, etc, but we do care # about things like GUID_DRS_DS_VALIDATED_WRITE_COMPUTER and # ACLs. # # To avoid all the set-up cost of making a fresh DB and user, # we use sub-tests in this test. # # See source4/dsdb/tests/pythpn/key_credential_link.py for # deeper tests of the restrictions on setting this attribute. dn = f"cn={USER_NAME},cn=users,{self.base_dn}" self.discardSetupMessages(dn) kcls = [f"{x}{dn}" for x in self.kcl_prefixes] session_id = self.get_session() service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") self._test_ldap_authentication_information( "msDS-keyCredentialLink", kcls) transactions_seen = set() with self.subTest("add bad KCL DN value"): self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" "replace: msDS-keyCredentialLink\n" f"msDS-keyCredentialLink: B:4:f1ea:{dn}\n") messages = self.waitForMessages(1, dn=dn) self.discardMessages() audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) self.assertEqual(0, audit["statusCode"]) transactions_seen.add(audit["transactionId"]) with self.subTest("add a second DN value"): # should this fail? self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" "add: msDS-keyCredentialLink\n" f"msDS-keyCredentialLink: B:4:f1ee:{dn}\n") messages = self.waitForMessages(1, dn=dn) self.discardMessages() audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) self.assertEqual(0, audit["statusCode"]) transactions_seen.add(audit["transactionId"]) # these should all have been separate transactions with self.subTest("check transactions"): self.assertEqual(len(transactions_seen), 2) for t in transactions_seen: self.assertTrue(self.is_guid(t)) with self.subTest("add bad Binary DN value"): for bad_dn in ('B:6:f1ea:{dn}', 'flea', dn): with self.assertRaises(LdbError) as e: self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" "replace: msDS-keyCredentialLink\n" f"msDS-keyCredentialLink: {bad_dn}\n") self.assertEqual(e.exception.args[0], ERR_INVALID_DN_SYNTAX) # no messages from those the 3 bad DNs # because DN syntax check comes first messages = self.waitForMessages(1, dn=dn) self.assertEqual(0, len(messages)) def _test_ldap_authentication_information(self, attribute, values): """Test logging of authentication information changes. """ # # To avoid all the set-up cost of making a fresh DB and user, # we use sub-tests in this test. # dn = f"cn={USER_NAME},cn=users,{self.base_dn}" self.discardSetupMessages(dn) session_id = self.get_session() service_description = self.get_service_description() self.assertEqual(service_description, "LDAP") transactions_seen = set() with self.subTest("initial setup"): self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"add: {attribute}\n" f"{attribute}: {values[0]}\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) transactions_seen.add(audit["transactionId"]) self.assertEqual(0, audit["statusCode"]) self.discardMessages() with self.subTest("replace"): self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"replace: {attribute}\n" f"{attribute}: {values[1]}\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertTrue(self.is_guid(audit["sessionId"])) transactions_seen.add(audit["transactionId"]) self.discardMessages() with self.subTest("constrained replace"): self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"delete: {attribute}\n" f"{attribute}: {values[1]}\n" f"add: {attribute}\n" f"{attribute}: {values[2]}\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) self.assertEqual(0, audit["statusCode"]) transactions_seen.add(audit["transactionId"]) self.discardMessages() with self.subTest("identical replace"): # replacing the value with itself still sends the message. self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"replace: {attribute}\n" f"{attribute}: {values[2]}\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) self.assertEqual(0, audit["statusCode"]) transactions_seen.add(audit["transactionId"]) self.discardMessages() with self.subTest("replace authentication information AND password"): # there should be two messages self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"replace:{attribute}\n" f"{attribute}: {values[0]}\n" "replace: userPassword\n" "userPassword: gruffalo3.\n") messages = self.waitForMessages(2, dn=dn) self.assertEqual(2, len(messages)) pwd_audit = messages[0]["passwordChange"] kcl_audit = messages[1]["passwordChange"] # we send the password message first, but we don't need to # depend on that. if pwd_audit["eventId"] == EVT_ID_DIRECTORY_OBJECT_CHANGE: kcl_audit, pwd_audit = pwd_audit, kcl_audit del audit self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, kcl_audit["eventId"]) self.assertEqual(EVT_ID_PASSWORD_RESET, pwd_audit["eventId"]) self.assertEqual("Public key change", kcl_audit["action"]) self.assertEqual("Reset", pwd_audit["action"]) # if we delete the action and eventId, the rest of # structures should be the same (sessionId, transactionId, # version, etc). Timestamps are in the outer message. del pwd_audit["eventId"] del pwd_audit["action"] del kcl_audit["eventId"] del kcl_audit["action"] # replacing an authentication information value with itself # still sends the message. self.assertEqual(kcl_audit, pwd_audit) transactions_seen.add(pwd_audit["transactionId"]) self.discardMessages() with self.subTest("delete"): self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"delete: {attribute}\n" f"{attribute}: {values[0]}\n") messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) self.assertEqual(0, audit["statusCode"]) transactions_seen.add(audit["transactionId"]) self.discardMessages() with self.subTest("delete that which does not exist"): # still sends a message with self.assertRaises(LdbError) as e: self.ldb.modify_ldif( f"dn: {dn}\n" "changetype: modify\n" f"delete: {attribute}\n" f"{attribute}: {values[2]}\n") self.assertEqual(e.exception.args[0], ERR_NO_SUCH_ATTRIBUTE) messages = self.waitForMessages(1, dn=dn) print("Received %d messages" % len(messages)) # We still get the message on a failed attempt self.assertEqual(1, len(messages)) audit = messages[0]["passwordChange"] self.assertEqual(EVT_ID_DIRECTORY_OBJECT_CHANGE, audit["eventId"]) self.assertEqual("Public key change", audit["action"]) self.assertEqual(dn, audit["dn"]) self.assertIn(self.remoteAddress, audit["remoteAddress"]) self.assertEqual(session_id, audit["sessionId"]) transactions_seen.add(audit["transactionId"]) self.discardMessages() with self.subTest("check status code"): self.assertEqual(ERR_NO_SUCH_ATTRIBUTE, audit["statusCode"]) self.assertEqual("No such attribute", audit["status"]) # these should all have been separate transactions with self.subTest("check transactions"): self.assertEqual(len(transactions_seen), 7) for t in transactions_seen: self.assertTrue(self.is_guid(t))